People often use the term “variant” to refer to physical viruses that infect their bodies, but a different kind of variant is infecting computers—what Microsoft Security Intelligence refers to as the Sysrv-K variant.
Sysrv-K takes advantage of web frameworks and WordPress vulnerabilities and uses them to attack Windows and Linux servers. Once inside, according to a May 2022 report by Threatpost, the variant deploys crypto-mining malware. This makes it possible for hackers to use a device’s resources to mine crypto. The impact on the user’s system varies, ranging from low memory to overheating to complete system failure.
Sysrv-K is a botnet. These illicit networks of computers are able to levy attacks on a broad scale, wreaking havoc around the globe. In the case of Sysrv-K, it seems the threat is being contained. Microsoft tweeted just recently, “These vulnerabilities […] have all been addressed by security updates.”
So how does Sysrv-K work?
It scans for WordPress configuration files, as well as their backups, to steal database credentials, which it then uses to take over the web server. Sysrv-K then ratchets the threat level up a notch by using a Telegram bot to communicate with other systems. Telegram bots are a legitimate feature of the Telegram messaging platform, designed for benign automated communication with regular users; they are not inherently part of any botnet. But the Sysrv-K botnet abuses that feature for its own benefit.
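As a defensive check against the credential-harvesting step described above, here is an added example (not code from the article, from Microsoft, or from the Sysrv-K reporting): a Python script that walks a WordPress web root and flags leftover copies of wp-config.php, plus a live wp-config.php that other local users can read. The filename patterns and the sample directory tree are constructed assumptions for this example.

```python
import os
import re
import stat
import tempfile

# Constructed patterns for leftover copies of wp-config.php (editor backups, swap
# files, manual renames); an assumption of this example, not from the Sysrv-K reporting.
LEFTOVER_PATTERNS = [
    re.compile(r"^wp-config\.php(~|[._-].+)$", re.IGNORECASE),  # wp-config.php.bak, wp-config.php~
    re.compile(r"^wp-config\.(bak|old|orig|save|txt|zip|tar\.gz)$", re.IGNORECASE),
    re.compile(r"^\.wp-config\.php\.sw[a-z]$", re.IGNORECASE),  # vim swap files
]

def classify(name: str, mode: int) -> list:
    """Return the reasons a file under the web root risks exposing DB credentials."""
    reasons = []
    if any(p.match(name) for p in LEFTOVER_PATTERNS):
        reasons.append("leftover copy")
    # The live config should not be readable by other local users (POSIX check only).
    if name.lower() == "wp-config.php" and os.name == "posix" and mode & stat.S_IROTH:
        reasons.append("world-readable")
    return reasons

def find_exposed_configs(webroot: str) -> list:
    """Walk a web root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            for reason in classify(name, mode):
                findings.append((os.path.relpath(full, webroot).replace(os.sep, "/"), reason))
    return sorted(findings)

def build_sample_webroot() -> str:
    """Create a constructed WordPress-like tree containing a few leftover files."""
    root = tempfile.mkdtemp(prefix="wproot-")
    for rel, mode in [("wp-config.php", 0o600), ("wp-config-sample.php", 0o644),
                      ("index.php", 0o644), ("wp-config.php.bak", 0o644), ("wp-config.php~", 0o644),
                      (".wp-config.php.swp", 0o644), ("old/wp-config.old", 0o644)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample, no real secrets\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(*find_exposed_configs(build_sample_webroot()), sep="\n")
```

Run it against a real document root and delete or move every leftover copy it reports outside the web root; wp-config-sample.php is deliberately not flagged because it ships with WordPress and holds no credentials.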
Unlike Sysrv-K, not all bots are used for evil, and many are actually quite helpful. But cybercriminals, as they often do with other technologies, have found ways of putting them to nefarious use.
The Evolution of Bots
Bots have been around for many years, and in many cases, people’s interaction with them is mostly benevolent. For example, early internet bots were responsible for scraping, which involves automatically looking for things on the internet. Search engines still scrape websites today.
Then, bots progressed, and many of their newer uses involved nefarious activity, such as distributed denial-of-service (DDoS) attacks and advertising fraud. With a DDoS attack, a bot sends many false requests to a web server, inundating it to the point it becomes too busy to handle legitimate user requests. Bots that perform ad fraud make it look like an ad has been clicked on many times by a real human, disproportionately skewing the advertising metrics used to judge ad success and decide how much the advertiser pays.
Soon, bots got even more sophisticated, executing account takeovers in which a user's account is compromised and the bot then helps the hacker change permissions, steal money, or exfiltrate data. Bots have progressed even further; now they can attack an application programming interface (API) and affect how it interacts with websites and other applications.
What Are Bot Threats?
Bot threats involve bot networks that infect your computer like a parasite and use its resources to execute bot attacks. In this way, a bot network or botnet is a lot like the Borg from Star Trek. One bot alone is somewhat dangerous, but as a collective, they’re a powerful, automated, synchronized force for evil.
Botnets work by infecting your computer, making it their very own Locutus, and using its processing power and connection to the internet to launch large-scale attacks that would otherwise be impossible.
For example, for a DDoS attack to be successful, it needs to send enough requests to overwhelm a server. With enough computers in the botnet, this is easy. The good news for users is that with the right anti-malware software, you can get rid of the bot, turning Locutus back into Picard and continuing to boldly go where no one has gone before.
The 3 Most Common Types of Bot Attacks
The three most common kinds of bot attacks in the most recent phase of bot evolution include phishing, DDoS attacks, and spam bots.
A phishing attack involves an attempt to get someone to click on a link and divulge sensitive information, typically using an email that appears to come from a legitimate source. The user, not suspecting malicious intent, clicks on something inside the email, and then one of a few things happens:
- The link silently installs malware on the user's computer without the user noticing
- The link installs another kind of software that has malware embedded in it
- The link brings the user to a site that’s pretending to be legitimate. Once they arrive, botware gets installed on the user’s computer, bringing it into the bot collective
Once the malware is installed, the computer is quickly assimilated into the rest of the bot network. You may notice only subtle symptoms, such as:
- The computer is running hotter than normal
- There’s a lot of memory being used even though you’re performing relatively simple tasks
- The computer restarts or shuts down randomly
These kinds of attacks have been increasing in frequency. According to a report by Proofpoint, 78% of organizations saw an increase in the amount of phishing attacks in 2021. The data was gathered from a survey involving 600 InfoSec professionals and 3,500 workers spanning the United States, France, Germany, Australia, Japan, Spain, and the UK.
Cloudflare’s DDoS Attack Trends for Q4 2021 report revealed that the Cloudflare network saw “record-breaking HTTP DDoS attacks and network-layer attacks” in the second half of 2021. Q4 also experienced a 29% increase in ransom DDoS attacks.
A ransom DDoS attack is one in which a cybercriminal threatens to launch a DDoS attack against a company unless they pay them off. In this way, hackers use the threat of DDoS to extort money from organizations.
As mentioned above, a DDoS attack can render a web server useless by sending it so many requests that it no longer has enough bandwidth to manage legitimate requests from real users. Bots play a critical role in a DDoS attack—they increase the number of computers used in the assault. While one computer can only send so many false requests, hundreds or thousands increase the potency of the attack many times over.
In December 2021, spam messages comprised 45.37% of all email messages. Spam is unwanted mail or other kinds of communication, often designed to trick someone into clicking a link that downloads malware. Spam campaigns are often made possible by spambots. Since a single person can only create so many email accounts at once, hackers use spambots to make fake accounts and then send spam from them. In this way, a single hacker can attack thousands of computers a day.
While many people can recognize spam emails, even if just one in 1,000 recipients clicks on a malicious link or file, the attack has succeeded. By using spambots, hackers greatly increase their odds of success.
Trends in the Automated Attack Landscape and Their Impact on Businesses
A threat landscape study by Radware reveals that the number of bad bots has increased at a rate of 20% year-over-year. The result is excessive bot traffic that users have to defend against using sophisticated, bandwidth-consuming measures such as firewalls and load balancers.
Bots have become increasingly sophisticated as well. For instance, 38% of malicious bots are used to execute account takeovers, which involve a relatively complicated set of steps designed to imitate human behavior.
Why Ransomware Is the Most Common Attack Trend
Botnets are very effective at spreading malware, and ransomware has become an increasingly popular attack payload for botnets to deliver. A recent FortiGuard Threat Landscape Report found that ransomware attacks have resulted in settlements across the threat landscape to the tune of hundreds of thousands—and even millions—of dollars.
Ransomware is the most common attack method among cybercriminals, largely because of the huge potential for payoff. For example, if a botnet successfully installs ransomware on a system that’s essential to the day-to-day function of a major company, the company may reason it would make more financial sense to give the attackers a few thousand dollars than hold out and lose millions. Knowing this to be the case, hackers have been launching more and more ransomware attacks using botnets.
Avoid Bots and Stay Cybersafe
One of the most significant trends in bot evolution is their role in ransomware attacks. To beat bots, consider using firewalls and anti-malware measures that prevent them from relaying messages back to the command-and-control (C&C) server, which issues instructions to compromised systems and collects stolen data. With anti-malware and firewalls, even if you get infected, you can stop bots from communicating with the collective and avoid even more widespread damage.